Can hackers take over traffic lights?

A malicious hacker could create paralyzing traffic on North Capitol Street NW in Washington, said Cesar Cerrudo, chief technology officer of security research firm IOActive Labs. But his claims are overblown, District officials said. (Gerald Martineau/For The Washington Post)

Picture this: A hacker walks the streets of Capitol Hill with a laptop and malicious intentions. He crouches to street level, tapping into the city’s traffic sensors during rush hour. Suddenly, downtown traffic signals turn to a constellation of red. Within minutes, streets are a parking lot jammed with cars. Emergency vehicles, paralyzed by traffic, can’t find a clearing. Their sirens echo through a gridlocked city.

It’s a dark scenario out of a dystopian film, but is it plausible?

The question has dogged security analysts and city officials in recent years as testing has revealed vulnerabilities in traffic systems and their operations. Officials with the District Department of Transportation said that this summer, they began a study of the encryption of city traffic sensors after a security researcher said he tapped into the city’s traffic system last year.

Cyberattacks have been, after all, identified as the greatest threat to U.S. national security in recent years by Director of National Intelligence James R. Clapper Jr.

And recent reports highlight how cars can be remotely hacked through their information and entertainment systems. Last month, two security researchers remotely disabled the brakes and steering system of a Jeep Cherokee while it was on a highway by seizing control of the car’s Uconnect information and entertainment dashboard. That prompted a recall of 1.4 million cars by Fiat Chrysler, which said a defect allowed several models, including Jeep Grand Cherokees, Chrysler sedans, Ram pickups and others, to be hacked remotely.

Many wireless devices — cars, planes and even sniper rifles — can be hacked.

So can your morning commute, it turns out.

A few years ago, two Los Angeles traffic engineers hacked into that city’s signal system to slow traffic at key intersections as part of a labor protest. The men programmed the lights to stay red for extremely long periods, causing gridlock. They were charged with felonies and sentenced to probation.

But it was the District that captured the attention of Cesar Cerrudo, chief technology officer of IOActive Labs, an Argentina-based security research firm. Cerrudo walked the streets of Capitol Hill last year with a tracking device, seeking to expose vulnerabilities in the District’s traffic system as part of a nonprofit initiative. He has done the same in New York and other cities, usually with similar results, he said.

Cerrudo said he was able to access traffic data at intersections at Union Station, Capitol Hill, and at Third and Madison streets NW. Were he a malicious hacker, he said, he could have gridlocked the entire city, creating paralyzing traffic on North Capitol Street NW or turning neighborhood roads into bona fide freeways.

Cerrudo said he could change the numbers on electronic speed-limit signs or signal cars idling on ramps to “go” prematurely.

But city officials dispute his findings, saying that Cerrudo’s assertions are overblown.

Michelle B. Phipps-Evans, a spokeswoman for DDOT, called the probability that a hacker could gain access to the city’s traffic signals “highly unlikely” — although she didn’t say it’s impossible. Built-in security protocols prevent traffic lights from displaying four-way green lights, for example, so no “Italian Job”-style fantasies will be playing out in the District anytime soon.

“In the previous media reports, the security researcher asserted that he hacked into traffic sensors that can allow him to change signals from red to green at will,” Phipps-Evans said, referring to an article this summer in the New York Times. “However, with respect to the sensors in the District’s signal network, hacking into the system cannot cause the signals to change arbitrarily.”

A spokesman for Sensys Networks, which has approximately 1,300 sensors gathering traffic-flow data across the District and an additional 200 to 300 detecting vehicles at 26 intersections, said that Cerrudo’s claims are flat wrong. “Mr. Cerrudo has not ‘hacked’ the District’s or any other operational system,” Floyd Williams said.

“A ‘hack’ occurs when existing security protocols are breached or circumvented to gain access to restricted information or intellectual property. No such access has been demonstrated by IOActive,” Williams said.

For his part, Cerrudo said he did not hack the system itself — rather, in a lab setting, he hacked the devices used within it. He said he performed passive tests while walking in the District, checking to see if technology at certain intersections was encrypted or had proper security protections. His conclusion: They weren’t, and they didn’t. His efforts, then, have not gone unnoticed. The city is now reviewing the security of its traffic sensors — particularly how they communicate from the pavement to wireless access points.

The District installed the Sensys sensors about five years ago, Phipps-Evans said, outfitting 25 of the city’s 1,650 intersections with the devices at about $4,000 per intersection. The wireless sensors — round, black devices in the road — are easily removed and reinstalled during construction work. They collect data that makes traffic lights change at optimal times: for example, when cars approach less-used side streets.

If the signals were compromised, Cerrudo says, the cost to the District could far exceed the equipment price tag for each intersection. A sophisticated hack could result in more than $500,000 of equipment lost, with repairs and labor nearing $2 million.

Cerrudo isn’t the only researcher to recently have the idea of testing transportation technology to expose vulnerabilities. Earlier this year, a computer expert managed to hack into a commercial plane’s in-flight entertainment system to make the aircraft briefly fly sideways, according to an FBI warrant.

And a year ago, Branden Ghena lugged two cardboard boxes out of a Michigan road agency. Along with a team of researchers, he climbed into a car and set off for an Ann Arbor research lab with one goal: hack into a city’s traffic system.

The unidentified municipality, as part of a security test, handed over the necessary hardware, including radio systems, network switches and malfunction-management units. But the traffic controllers left out one critical piece of information: passwords.

“It’s partially, I think, ignorance,” said Ghena, a doctoral student at the University of Michigan. “The people who are putting these together are great civil engineers, they’re great at managing traffic and all those things, but security isn’t really something they think about. Their priority is traffic flows.”

The researchers booted up their laptops. They churned out lines of code. They looked up owner’s manuals on Google.

An hour later, they were in. On a cloudy day in May of that year, they lined up near a real traffic light — in a municipality Ghena did not identify — and changed the signal from red to green.

How could it be so easy?

The passwords, it turns out, were easily located. They were in the owner’s manuals.